Firefox likely to win race to fix PWN2OWN contest bug

It's unlikely that either Microsoft or Apple will patch their browsers' bugs before Mozilla. Apple, for example, never generates Safari patches within such a short time span. For that matter, neither does Microsoft.

(If you are a conspiracy theorist, you may ask yourself why Microsoft waited for the final released version of IE8 to break the exploit technique, instead of including it in previous beta updates, as they surely didn’t do it overnight, and not for the benefit of pwn2own!)


To be fair, IE can't be included as they knew about and found a way to mitigate against the exploit technique before the contest started. As pointed out, the patch was already included in the version released the next day.

All this proved was that Mozilla fixed Nils' Firefox bug faster than Apple fixed his Safari bug (both browsers running on a MacBook).

Personally, I don't consider the 'race' by itself of much significance. What's more important and why I posted the article for discussion was the larger question it raised about who fixes their bugs sooner, especially the serious ones.

To be fair, IE can't be included as they knew about and found a way to mitigate against the exploit technique before the contest started.


Fairness is a wonderful attribute. Unfortunately, it also often has little to do with reality. Microsoft's fix was delivered one day later, Mozilla's in three weeks, and that's all that matters if we want to talk about the race to fix the PWN2OWN bugs. And if Microsoft's one day somehow doesn't make them faster than Mozilla's three weeks, then all I can say is that it's Apple who was "fastest", not Mozilla.

"Nils' exploit is only broken when IE8 is running in Windows Vista SP1 or Windows 7," she said. "The vulnerability is absolutely there, so for IE8 on Windows XP, which lacks ASLR and DEP, it can be exploited using commonly known techniques."

Also at risk, said Forslof, are users running IE8 on the browser's Intranet security zone, no matter what operating system is on the machine. "If an organization is compromised, the flaw could still be exploited from the internal network on machines running Windows Vista and IE8," she said.